Whilst all lawful bases for processing personal data under the GDPR carry equal weight, and no one basis is better or stronger than another, many businesses may choose to process data on the basis of consent.
Consent, under the GDPR, can be freely given, but it can also be withdrawn, and businesses should be wary of processing data on the basis of consent where such consent has been removed or is inappropriate for the type of processing to be undertaken.
In this briefing note, we explore issues of consent as a lawful basis for processing data.
The principle of consent under the provisions of the GDPR is reversed from that currently applicable under the Data Protection Act 1998. It provides an opportunity for data subjects to exercise control over how their data is used, and should only be used where a real choice in relation to consent is offered (i.e. if processing would happen because of a legal or contractual obligation, then it is misleading to offer data subjects the opportunity to consent).
Article 7 GDPR provides that:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing his or her personal data”
This places a high burden on organisations and provides data subjects with the aforementioned choice and control over whether or not their data is processed, the extent of that consent, and the ability to provide consent which is transparent, open and freely given. In effect, the obligation is now one of positive opt-in consent rather than the current opt-out culture often used by businesses. Current methods of obtaining consent by default should no longer be used. Consent should be directed toward specific processing activities, rather than being a blanket catch-all.
The choice to opt-in has to be clear, concise and specific as to what the data subject is consenting to, and be separate from any other terms and conditions put forward when engaging with the data subject. Similarly, there should be an opportunity and a mechanism to enable the withdrawal of consent at any time. At all times evidence of the provision or withdrawal of consent should be documented and retained. Withdrawal of consent will not affect the lawfulness of any processing that took place based on that consent prior to withdrawal.
Consent, for this purpose, is defined as:
“…any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Accordingly, where relying on consent as the lawful basis upon which data is being processed, businesses should ensure that their consent procedures are reviewed to reflect the amendments required by the GDPR. In particular, they should make sure that such processes move away from default consent which will, in effect, become unlawful.
If you are concerned about how you are obtaining consent to process data, or that your consents aren’t operating in the right way, then we can help. Please contact Richard Burraston on 01293 596984 or by e-mail at Richard.firstname.lastname@example.org or Paul Dungate on 01293 596981 or by e-mail at email@example.com for further advice and assistance.